oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048

Date: 2025-May-07
CVE IDs: CVE-2025-47702

This module extends the core Media module and allows site creators to permit oEmbed providers in addition to YouTube and Vimeo, which are deemed trustworthy by the Drupal Security Team.

The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be granted too broadly and to users without the ability to adequately vet providers. A malicious provider could execute a Cross Site Scripting (XSS) attack.

Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047

Date: 2025-May-07
CVE IDs: CVE-2025-47701

The Restrict route by IP module provides an interface to manage route restriction by IP address.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability is mitigated by the fact that you need to know the route machine name.

Search API Solr - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-046

Date: 2025-April-23
CVE IDs: CVE-2025-3907

This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability is mitigated by the fact that a site admin would have to perform further steps after the attack for it to have any effect.

Sportsleague - Critical - Unsupported - SA-CONTRIB-2025-045

Date: 2025-April-23
CVE IDs: CVE-2025-3904

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

UEditor - 百度编辑器 - Critical - Unsupported - SA-CONTRIB-2025-044

Date: 2025-April-23
CVE IDs: CVE-2025-3903

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Block Class - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-043

Date: 2025-April-23
CVE IDs: CVE-2025-3902

Block Class enables you to add custom attributes to blocks.

The module did not sufficiently sanitize custom attribute input, allowing for potential XSS attacks when malicious JavaScript was injected as a custom attribute.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer block classes".

Bootstrap Site Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-042

Date: 2025-April-23
CVE IDs: CVE-2025-3901

This module enables you to put a site wide bootstrap themed alert message on the top of every page.

The module doesn't sufficiently filter text input, leading to possible XSS attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer bootstrap site alerts".

Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041

Date: 2025-April-23
CVE IDs: CVE-2025-3900

Colorbox is a module that allows images, iframed content, or inline content to be displayed in a modal above the current page.

The Colorbox module doesn't sufficiently sanitize data attributes before opening modals.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Drupal 8 Google Optimize Hide Page - Critical - Unsupported - SA-CONTRIB-2025-040

Date: 2025-April-16
CVE IDs: CVE-2025-3739

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Google Optimize - Critical - Unsupported - SA-CONTRIB-2025-039

Date: 2025-April-16
CVE IDs: CVE-2025-3738

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
